Voice of VOIPSA

The U.S. Department of Homeland Security recently issued a bulletin titled “TDoS Attacks on Public Safety Communications” and while it was “Law Enforcement Use Sensitive/For Official Use Only” a copy was obtained by Brian Krebs who wrote about it on his site and also published the DHS bulletin publicly.

This resulted in a small flurry of related articles that Mark Collier listed on his VoIP security blog. Most of the articles, unfortunately somewhat predictably, seem to be rehashes of Brian Krebs’ post and/or the DHS bulletin.  However, the point is definitely solid – these are real attacks that are happening on call centers out there, including those operated by emergency services organizations.  No one wants to be on the receiving end of hundreds (or thousands) of phone calls clogging up your call center and making it unusable for regular business.

The connection to VoIP is that made by Brian Krebs in his article:

According to a recent report from SecureLogix, a company that sells security services to call centers, free IP-PBX software such as Asterisk, as well as computer-based call generation tools and easy-to-access SIP services, are greatly lowering the barrier-to-entry for voice network attackers.

This is the key point.  VoIP systems make these kind of attacks much easier to create.  Anyone can take one of the various free VoIP servers and create a script that will generate a crazy number of phone calls.  And of course the Caller-ID can be easily spoofed using the same servers.  I’m sure there are already scripts out there that automate all of this for would-be attackers.

The challenge is then finding either a VoIP service provider (or “ITSP” or “SIP Service Provider”) who will let the attacker send out phone calls to the PSTN – or to find victims that allow incoming SIP connections (which means that attacks could come from any Internet connection).  Or to find components of the SIP signaling infrastructure that have weak (or no) authentication and through which an attacker can send calls.  For example, SIP gateways that allow incoming SIP calls with minimal (or easily spoofable) authentication.

It’s not necessarily easy to do, but VoIP systems do make it easier than it was in the past, largely because the attackers can obtain a degree of anonymity through masking their source, and also because of the automation of the calling possible through the systems.

Defending against a TDoS is not the easiest, particularly when the attackers can use spoofed Caller IDs to hide their origin.  Here is a place where VoIP actually helps because if the calls are coming in over IP, firewalls and other network monitoring tools can be used to recognize patterns and potentially identify and block sources of the attacks.  There are companies such as SecureLogix (whose CTO is Mark Collier, whom I linked to earlier) who do sell products and services to help address these threats. As we increasingly move to IP-based communications there will no doubt be many more companies and service providers offering such services.

We as an industry do need to do what we can to help people understand both the threat posed by these attacks, and also the mitigations and possible solutions.

In the meantime, expect more people to be talking about this issue due to this DHS bulletin and the surrounding attention in the media.

What do you think?  What should be done within the VoIP vendor/organization community?  What are good steps to promote to defend against TDoS attacks?

Should we still be talking about “VoIP security”? Or should we be using some other language?

Back when we started VOIPSA in 2005, “voice over IP (VoIP)” was the term we all were using, but as we look at what kind of activities come next, we’re starting to wonder if we should be talking about “communications security” a bit differently.

For starters, in the past 8 years we’ve moved far beyond simply “voice” into video over IP, text messaging over IP, data sharing over IP… all within a single communications session. Is that still “VoIP”?

Beyond that, we’ve seen a range of other terms coming into usage, including:

• unified communications (UC)
• real-time communications (RTC)
• cloud communications
• IP communications

and many more. Plus new technologies are out that have pushed “VoIP” beyond its traditional proprietary protocols and the open standard of the Session Initiation Protocol (SIP). We’ve seen the strong emergence of XMPP (Jabber) and its related “Jingle” protocol. We’ve seen the explosion of interest in the WebRTC / RTCWEB protocols and tools.

Are all of those “VoIP”? Or are they something more?

Should we be talking about…

• UC security?
• real-time communications security?
• IP communications security?

Or perhaps just plain old “communications security”? (or is that too generic?) I’ve seen some people talking about “SIP security”, but now that is specific to a single protocol.

Or is “VoIP security” still an okay term to use?

What do you think? What do you use? What do you hear vendors and others using? How should we be talking about securing all these many ways we have to communicate now over IP networks?

Please do let us know either as comments here or out on social networks. (Thanks!)

This morning The Next Web reported on an exploit where Skype’s password reset web page could be used to hijack a user’s Skype account using only the password associated with the account. So… if you could guess someone’s email address (which can often be found through a Google search), you could effectively take over their Skype account.

Microsoft/Skype has DISABLED this feature while they investigate further so it appears that for the moment the security risk is limited.

However, it may be wise to watch closely the email account associated with your Skype ID for the next bit to see if any random password reset messages are sent to your account. Odds are that attackers will be sniffing around trying to see if there is any other way to exploit the apparent vulnerability.

The Next Web team reports that they were able to reproduce the attack on two Skype accounts of willing victims, confirming that the vulnerability was indeed real. They also reported the issue to Skype and worked with folks there.

The vulnerability is interesting in that it shows the complexity of modern communication applications. Skype is for the most part a desktop/mobile application, but yet it does rely on a centralized cloud-based service for authentication/passwords, etc. A vulnerability in the web interface for that central service then weakens the security of the overall system.

The “good” news for Microsoft/Skype is that because this appears to be a vulnerability in the web interface of the centralized system, this is probably something relatively easy for them to fix – and without requiring any client updates.

Kudos to Microsoft/Skype for reacting quickly to minimize the risk and we look forward to the issue being addressed.

UPDATE #1: Skype has issued a brief statement on their “heartbeat” web site with the same text that has been quoted in several articles.

UPDATE #2: The Verge has an article out now where many people in the comments are suggesting you change the email address associated with your Skype account to something less likely to be guessed. While Microsoft seems to have removed the immediate attack vector and this change is no longer critical to do, it may be something some of you may want to consider.

UPDATE #3: There’s a long Hacker News thread on this issue that also includes a link to an article walking through the exploit step-by-step as well as walking through links to protect your account. Note that because of the steps Microsoft has taken the exploit steps no longer work.

This week Digium released three security advisories allowing remote authenticated sessions to either crash an Asterisk server or escalate user privileges.  The advisories are:

• AST-2012-004 - Asterisk Manager User Unauthorized Shell Access
• AST-2012-005 - Heap Buffer Overflow in Skinny Channel Driver
• AST-2012-006 - Remote Crash Vulnerability in SIP Channel Driver

In all cases the solution is to upgrade to the latest releases of Asterisk Open Source (1.6.2.24, 1.8.11.1 or  10.3.1 ) or Asterisk Business Edition (C.3.7.4).

Want to join in to a free webinar/webcast to learn about VoIP and Unified Communications security? Tomorrow, Thursday, January 26, 2012, I (Dan York) will be speaking as part of US Telecom’s monthly educational webinar series on the topic of: “Securing VoIP and Unified Communications Systems“

The session will be at 1:00pm US Eastern. Registration is free using the “Register Now” link on the right side of the US Telecom webinar page. I’ll be spending about 30 minutes covering the range of security issues with VoIP and UC and then will have plenty of time for questions.

The abstract of the session includes:

What are the major security threats to today’s telecommunications infrastructure?

As telecom has evolved from the traditional circuit-switched PSTN to a new world of Voice-over-IP (VoIP) and Unified Communications (UC), what are the security implications? As services move to be based on the Session Initiation Protocol (SIP), how does that change the security of the system? Is this new IP-based world less or more secure? What are the threats and what are the best practices to protect against those threats?

I’ve always found these sessions to be quite enjoyable to do and have always enjoyed the dialogue that frequently happens with questions. I encourage you to register and participate.

If you can’t join live, US Telecom will be making an archive of the session available for 90 days. I believe it will be linked from the webinar page, but if not I will update this post with the information.

The folks over at the Digium security team today released security bulletin AST-2011-012 for a remote crash vulnerability in the SIP channel drive. For info about the attack, they state only:

A remote authenticated user can cause a crash with a malformed request due to an uninitialized variable.

An assumption from this statement would be that an UNauthenticated user could not carry out this attack… but I admit to not personally knowing the SIP channel driver of Asterisk enough to be able to stand behind this conclusion.

Regardless, updates have been released in the form of new versions 1.8.7.1 and 10.0.0-rc1.

Fascinating news today that Avaya has acquired Sipera Systems for an undisclosed sum. We’ve covered Sipera here on this blog any number of times over the past years as they have been one of the few firms very specifically focused on “VoIP security”, or, to be more appropriately buzzword-compliant in 2011, “Unified Communications security.” In fact, the first video podcast I did for the Blue Box Podcast (when I was doing that) way back in August 2007 was with Sipera.

Over the years Sipera has hired some truly excellent people in the field, released some useful tools, originated great research and done a great bit in general to help keep the dialog going on publicly about VoIP/UC security.

The Avaya purchase is fascinating because, as Eric Krapf noted in a NoJitter post this morning, Avaya has been OEMing a Session Border Controller (SBC) solution from market leader Acme Packet for quite some time. As Eric notes:

The deal therefore could represent a shift in the enterprise SBC market, at a moment when E-SBCs are emerging as a key component of enterprise real-time communications deployments, especially in SIP trunking deployments. Acme Packet has been far and away the market share leader in SBCs, with over 50%, and its SBC works with all the leading enterprise communications platforms.

However, enterprise vendors including Cisco and Siemens (and now, it seems, Avaya) have released their own SBCs, and in the case of Siemens, the SBC only talks to Siemens platforms on the enterprise side of the device. It remains to be seen whether the Sipera SBC will work only with Avaya Aura–but it seems unlikely that anyone other than an Avaya customer would buy an Avaya SBC.

Now, the news release of course plays up how Sipera’s solutions work with both Avaya and non-Avaya systems but to Eric’s point there may in the future be little incentive for non-Avaya customers to purchase a solution, given that there are other “independent” players out there in the SBC market like Acme Packet, Ingate Systems, Sonus Networks and others.

Regardless of how it all shakes out, it is an interesting move and one that bears watching.

Congrats to our friends at Sipera and Avaya on the acquisition, and we look forward to seeing how it evolves.

Are you a vendor of SIP software or hardware devices? If so, do you support SRTP or SIP over TLS? If you do – or are thinking about doing so – why don’t you join Olle Johansson for some interoperability testing at SIPit 29, October 24-28, in Monaco?

Olle raised just that suggestion today in the VOIPSEC mailing list and said that he will be there focused on testing VoIP security (and also IPv6). As he said:

Customers need at least first hop TLS and SRTP to work as expected. They also need interoperability between devices. To get interoperability, everyone needs to work with it. It just doesn’t happen by accident. SIPit has been organised twice a year for 15 years in order to get the amount of interoperability we have today in SIP.

If you develop SIP software or devices – register for SIPit now. If you are a customer and have seen issues in this area, remind your vendors to participate. The more we are, the more time we can spend on VoIP protocol security.

The SIPit test events are outstanding places to go and test your software or hardware. For the relatively small fee and your time and travel, you have access to an incredible test bed in the form of all the other vendors participating. Where else will you get to interact with designers and engineers from all the major vendors and not only test your software/hardware, but also re-test your equipment if you try some fixes while you are there.

You still have time to register for SIPit29 and join Olle and others in the security testing.

P.S. If you aren’t aware of the SIPit events, more info can be found on the main SIPit site. They are held twice a year in various locations. The summaries of past SIPit events give you a good flavor for the type of testing that goes on.

News from the SUPEREVR security blog is that Skype for iOS is vulnerable to a cross-site scripting (XSS) attack that allows an attacker to send someone a message and, for instance, capture that user’s address book from their iPhone.

The author of the article posted a video that demonstrates the attack:

He further states in a tweet that he notified Skype of the vulnerability on August 24th:

In case anyone is wondering, I disclosed the vulnerability to Skype on 8/24. I was told an update would be released early this month.

Skype has issued a statement through their PR firm:

We are working hard to fix this reported issue in our next planned release which we hope to roll out imminently. In the meantime, we always recommend people exercise caution in only accepting friend requests from people they know and practice common sense Internet security as always.

Skype’s mitigation recommendation is a good one as the default privacy setting is typically that you can only receive chat messages from people on your Contact list. Therefore, the attacker would have to be someone who you have authorized and added to your contact list.

Meanwhile, hopefully Skype will be out with their update soon.

P.S. Hat tip to Tom Keating for writing about this exploit as that was where I first learned of it.

News out of the U.S. Federal Bureau of Investigation (FBI) last week was that a New Jersey man pled guilty to charges that he and his co-conspirators stole over $4.4 million USD of VoIP services from a range of VoIP service providers including AT&T, Verizon and many others.

Reading through the FBI news release, the scam really has nothing to do with “VoIP security”, per se, and everything to do with “social engineering.” Essentially, the group managed to appear to be a legitimate business so that VoIP service providers would let them resell their services to businesses. They then resold that service and pocketed the money without ever paying the service providers.

From the news release, it seems to have been a rather extensive scam:

To make it appear as if the shell companies were legitimate VoIP wholesalers and to induce the victim providers to extend credit to the companies on favorable terms, Tonangi and his co-conspirators took several fraudulent steps, including establishing fake business addresses for the shell companies at prominent New York locations, including the Empire State Building.

The co-conspirators also used Internet-based answering services that purported to connect callers to the shell companies’ various departments, such as accounts receivable and marketing, but really connected to cell phones controlled by the co-conspirators.

Tonangi and his co-conspirators created shell company e-mail accounts in the names of non-existent employees for communicating with victim providers; websites that contained false information, such as the names of non-existent employees and the companies’ fabricated qualifications to serve as VoIP wholesalers; and aliases to negotiate the purchase of VoIP services.

They also fabricated year-end financial reports that bore the logo of a national accounting firm in order to give the appearance that the shell companies’ financial reports had been reviewed by that firm.

When the victim providers sold VoIP services to the shell companies on credit, Tonangi and his co-conspirators would “bust out” the account by causing the companies to use substantially more VoIP services than the companies had been approved to buy in such a short period of time. The co-conspirators would do this over weekends and holidays so that the providers would not notice.

When the invoices for the services came due, the co-conspirators would send fake wire transfer confirmations via e-mail or submit small payments to keep the victim providers from cutting off service.

If victim providers sued or threatened to sue the shell companies, Tonangi and his co-conspirators would respond in legal pleadings or letters that they prepared in the name of a non-existent attorney, Frank Soss. Tonangi and Bhambhani created and used a fraudulent United States passport in the name Frank Soss by downloading and altering a exemplar passport image and photograph from the Internet.

Given the degree of subterfuge undertaken by the group, I’m not at all surprised that they fooled numerous companies into extending credit for VoIP services. When you are doing due diligence on a new customer, you would explore many of the avenues that these folks seem to have covered.

It’s not clear from the news release or any other information I’ve seen online what if any VoIP technology was used here but given that the group was acting as a legitimate business they didn’t need anything very sophisticated. Many software and service options would have met their needs.

It’s good to see the FBI successfully cracking this fraud ring… sadly I’m sure there will be others as we see the increased usage of VoIP across the industry.

P.S. Thanks to J. Oquendo in the VOIPSEC mailing list for alerting us to this news from the FBI.